Additional Links

Target: Customers' encrypted PINs were stolen (has video)

By Mae Anderson and Barbara Ortutay Associated Press

Dec 27 2013 2:33 pm

FILE - In this Dec. 19, 2013 file photo, a passer-by walks near an entrance to a Target retail store in Watertown, Mass. Target on Friday, Dec. 27, 2013 said that customers' encrypted PIN data was removed during the data breach that occurred earlier this month. But the company says it believes the PIN numbers are still safe because the information was strongly encrypted. (AP Photo/Steven Senne, File)

ATLANTA - Target said Friday that debit-card PIN numbers were among the financial information stolen from millions of customers who shopped at the retailer earlier this month.

The company said the stolen personal identification numbers, which customers type in to keypads to make secure transactions, were encrypted and that this strongly reduces risk to customers. In addition to the encrypted PINs, customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on back of the cards were stolen from about 40 million credit and debit cards used at Target between Nov. 27 and Dec. 15.

Security experts say it's the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos.

Target said it doesn't have access to nor does it store the encryption key within its system, and the PIN information can only be decrypted when it is received by the retailer's external, independent payment processor.

"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder said in an emailed statement Friday. "The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems." The company maintains that the "key" necessary to decrypt that data never existed within Target's system and could not have been taken during the hack.

However, Gartner security analyst Avivah Litan said Friday that the PINs for the affected cards are not safe and people "should change them at this point."

Minneapolis-based Target said it is still in the early stages of investigating the breach. It has been working with the Secret Service and the Department of Justice.

--

Ortutay contributed from San Francisco.

Comments

Notice about comments:

The Post and Courier is pleased to offer readers the enhanced ability to comment on stories. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We ask that you refrain from profanity, hate speech, personal comments and remarks that are off point.

We do not edit user submitted statements and we cannot promise that readers will not occasionally find offensive or inaccurate comments posted in the comments area. If you find a comment that is objectionable, please click the X that appears in the upper right corner when you hover over a comment. This will send the comment to Facebook for review. Please be reminded, however, that in accordance with our Terms of Use and federal law, we are under no obligation to remove any third party comments posted on our website. Read our full terms and conditions.